--- title: Mock access token validator description: A mock access token validator is a special access token validator type for development or testing purposes. component: pingdirectory version: 11.0 page_id: pingdirectory:managing_access_control:pd_ds_mock_access_token_validator canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_access_control/pd_ds_mock_access_token_validator.html revdate: August 16, 2024 section_ids: sample-configuration: Sample configuration --- # Mock access token validator A mock access token validator is a special access token validator type for development or testing purposes. A mock access token validator accepts arbitrary tokens without validating whether a trusted source issued them. This allows you to make bearer token-authenticated requests without first setting up an authorization server. Mock access tokens are formatted as plain-text JSON objects using standard JSON web token (JWT) claims. Always provide the boolean `active` claim when creating a mock token. If this value is `true`, the token is accepted. If this value is `false`, the token is rejected. If the `sub` claim is provided, a token owner lookup populates the `TokenOwner` policy request attribute as with the other access token validator types. The following example cURL command shows a mock access token in an HTTP request. ```shell curl -k -X GET https://localhost:1443/directory/v1/Me -H 'Authorization: Bearer {"active": true, "sub":"user.1", "scope":"email profile", "client_id":"client1"}' ``` | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------- | | | Never use mock access token validators in a production environment because they do not verify whether a trusted source issued an access token. | ## Sample configuration The configuration for a mock access token validator resembles the configuration for a JWT access token validator. However, the JSON web signature (JWS) signatures require no configuration because mock tokens are not authenticated. ``` # Create an identity mapper that expects the token subject to be a uid dsconfig create-identity-mapper \ --validator-name "User ID Identity Mapper" \ --type exact-match \ --set enabled:true \ --set match-attribute:uid \ --set match-base-dn:ou=people,dc=example,dc=com # Create the Access Token Validator dsconfig create-access-token-validator \ --validator-name "Mock Access Token Validator" \ --type mock --set enabled:true \ --set evaluation-order-index:9999 \ --set "identity-mapper:User ID Identity Mapper" ``` Learn more about the configuration options for a [mock access token validator](https://docs.ping.directory/PingDirectory/latest/config-guide/mock-access-token-validator.html).